The Russian Advanced Persistent Threat (APT) group, “Sofacy” (also known as APT28, FancyBear, Sednit, Strontium, and TsarTeam) has been observed conducting a new campaign using weaponised documents, according to Palo Alto researchers. The objective of this campaign is to infect recipients with the “Cannon” or “Zebrocy” trojans; Cannon is a new trojan identified to be used by the group while Zebrocy has been observed in past campaigns. APT28 is using custom documents, in this case, Word, that attempt to load a template from an actor-controlled Command and Control (C2) server. If the document is able to contact the C2, the template is loaded which results in the document asking the recipient to enable macros. If the macro is enabled, the infection process begins for Cannon or Zebrocy depending on the weaponised document.

Recommendation: This story serves as a reminder to avoid documents that request Macros to be enabled. All employees should be educated on the risk of opening attachments from unknown senders. Anti-spam and antivirus protection should be implemented and kept up-to-date with the latest version to better ensure security.

Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.